Bug 1153486 (CVE-2014-6496)

Summary: CVE-2014-6496 mysql: unspecified vulnerability related to CLIENT:SSL:yaSSL (CPU October 2014)
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, byte, chrisw, dallan, databases-maint, gkotton, hhorak, jdornak, jorton, jstanek, lhh, lpeer, markmc, mmaslano, mmuzila, rbryant, rohara, sclewis, vdanen, yeylon
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-10-16 08:06:42 UTC
Bug Blocks: 1153468

Description Murray McAllister 2014-10-16 05:41:55 UTC
The following issue has been fixed in MySQL:

"Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier,
and 5.6.20 and earlier, allows remote attackers to affect availability
via vectors related to CLIENT:SSL:yaSSL, a different vulnerability
than CVE-2014-6494."

References:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Comment 1 Tomas Hoger 2014-10-16 08:06:42 UTC
MySQL packages in Red Hat Enterprise Linux and Fedora are built against system OpenSSL and do not use bundled yaSSL. Hence they cannot be affected by any yaSSL issues.

Statement:

This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they use the system OpenSSL library rather than yaSSL.